What is the difference between Session.Abandon() and Session.Clear()


asp.net Problem Overview


What is the difference between destroying a session and removing its values? Can you please provide an example demonstrating this?

I searched for this question, but I don't grasp the total answer. Some answers are:

  • Session.Abandon() destroys the session
  • Session.Clear() just removes all values

A friend told me this:

> Clearing the session will not unset the session, it still exists with the same ID for the user but with the values simply cleared.
>
> Abandon will destroy the session completely, meaning that you need to begin a new session before you can store any more values in the session for that user.

The below code works and doesn't throw any exceptions.

Session.Abandon();
Session["tempKey1"] = "tempValue1";

> When you Abandon() a Session, you (or rather the user) will get a new SessionId

When I test Session, it doesn't make any change when I Abandon the session.

I found just one difference: Session.Abandon() raises the Session_End event.

asp.net Solutions


Solution 1 - asp.net

Clear - Removes all keys and values from the session-state collection.

Abandon - removes all the objects stored in a Session. If you do not call the Abandon method explicitly, the server removes these objects and destroys the session when the session times out.
It also raises events like Session_End.

Session.Clear can be compared to removing all books from the shelf, while Session.Abandon is more like throwing away the whole shelf.

You say:

> When I test Session, it doesn't make any change when I Abandon the session.

This is correct while you are doing it within one request only.
On the next request the session will be different. But the session ID can be reused so that the id will remain the same.

If you use Session.Clear you will have the same session in many requests.

Generally, in most cases you need to use Session.Clear.
You can use Session.Abandon if you are sure the user is going to leave your site.

So back to the differences:

  1. Abandon raises Session_End request.
  2. Clear removes items immediately, Abandon does not.
  3. Abandon releases the SessionState object and its items so it can be garbage collected to free the resources. Clear keeps SessionState and resources associated with it.

Solution 2 - asp.net

When you Abandon() a Session, you (or rather the user) will get a new SessionId (on the next request). When you Clear() a Session, all stored values are removed, but the SessionId stays intact.

Solution 3 - asp.net

This is sort of covered by the various responses above, but the first time I read this article I missed an important fact, which led to a minor bug in my code...

Session.Clear() will CLEAR the values of all the keys but will NOT cause the session end event to fire.

Session.Abandon() will NOT clear the values on the current request. IF another page is requested, the values will be gone for that one. However, abandon WILL throw the event.

So, in my case (and perhaps in yours?), I needed Clear() followed by Abandon().

Solution 4 - asp.net

> this code works and doesn't throw any exception:
>
> Session.Abandon();
> Session["tempKey1"] = "tempValue1";

It's because when the Abandon method is called, the current Session object is queued for deletion but is not actually deleted until all of the script commands on the current page have been processed. This means that you can access variables stored in the Session object on the same page as the call to the Abandon method but not in any subsequent Web pages.

For example, in the following script, the third line prints the value Mary. This is because the Session object is not destroyed until the server has finished processing the script.

<% 
  Session.Abandon  
  Session("MyName") = "Mary" 
  Response.Write(Session("MyName")) 
%>

If you access the variable MyName on a subsequent Web page, it is empty. This is because MyName was destroyed with the previous Session object when the page containing the previous example finished processing.

from MSDN Session.Abandon

Solution 5 - asp.net

Clearing a session removes the values that were stored there, but you still can add new ones there. After destroying the session you cannot add new values there.

Solution 6 - asp.net

Clear - it removes keys or values from the session state collection.

Abandon - it removes or deletes session objects from the session.

Solution 7 - asp.net

Session.Abandon() 

will destroy/kill the entire session.

Session.Clear()

removes/clears the session data (i.e. the keys and values from the current session) but the session will be alive.

Compared to the Session.Abandon() method, Session.Clear() doesn't create a new session; it just makes all variables in the session NULL.

The session ID will remain the same in both cases, as long as the browser is not closed.

Session.RemoveAll()

It removes all keys and values from the session-state collection.

Session.Remove()

It deletes an item from the session-state collection.

Session.RemoveAt()

It deletes an item at a specified index from the session-state collection.

Session.TimeOut()

This property specifies the time-out period assigned to the Session object for the application. (the time will be specified in minutes).

If the user does not refresh or request a page within the time-out period, then the session ends.

Solution 8 - asp.net

The existence of the session ID can cause a session fixation attack, which is one of the points in PCI compliance. To remove the session ID and overcome the session fixation attack, read this solution - How to avoid the Session fixation vulnerability in ASP.NET?.
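
An added example, not part of any answer on this page and not ASP.NET's own code: a logout handler for classic ASP.NET (System.Web) that calls Clear() and Abandon() and then expires the session cookie, so the old ID is not presented again on the next request. The handler name, the redirect target and the use of the default cookie name ASP.NET_SessionId are assumptions.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Hypothetical handler name; register it for your logout URL.
public class LogoutHandler : IHttpHandler, IRequiresSessionState
{
    // Assumption: <sessionState cookieName="..."> is left at its default.
    private const string SessionCookieName = "ASP.NET_SessionId";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpSessionState session = context.Session;
        if (session != null)
        {
            // Clear() empties the collection immediately, so nothing that
            // runs later in this request can read the old values.
            session.Clear();

            // Abandon() only flags the session; it is destroyed when the
            // request ends. Session_End is raised in InProc mode only.
            session.Abandon();
        }

        // Abandon() does not touch the cookie, so the browser would send
        // the same ID again and ASP.NET could reuse it. Overwriting the
        // cookie with an empty, already-expired value forces a new ID.
        var expired = new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = context.Request.IsSecureConnection,
            Path = "/"
        };
        context.Response.Cookies.Add(expired);

        // Hypothetical landing page after logout.
        context.Response.Redirect("~/Login.aspx", false);
    }
}
```

The same cookie reset applied just before sign-in gives the authenticated user an ID that was never seen in an unauthenticated request.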

Solution 9 - asp.net

I think it would be handy to use Session.Clear() rather than using Session.Abandon().

Because the values still exist in the session after calling the latter but are removed after calling the former.

Solution 10 - asp.net

this code works and doesn't throw any exception:

Session.Abandon();  
Session["tempKey1"] = "tempValue1";

One thing to note here is that Session.Clear removes items immediately, but Session.Abandon marks the session to be abandoned at the end of the current request. That simply means that if you try to access a value in code just after the Session.Abandon command was executed, it will still be there. So do not get confused if your code is just not working even after issuing the Session.Abandon command and immediately doing some logic with the session.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

| Content Type | Original Author | Original Content on Stackoverflow |
| --- | --- | --- |
| Question | backdoor | View Question on Stackoverflow |
| Solution 1 - asp.net | Dmytrii Nagirniak | View Answer on Stackoverflow |
| Solution 2 - asp.net | Hans Kesting | View Answer on Stackoverflow |
| Solution 3 - asp.net | NRC | View Answer on Stackoverflow |
| Solution 4 - asp.net | Seven | View Answer on Stackoverflow |
| Solution 5 - asp.net | RaYell | View Answer on Stackoverflow |
| Solution 6 - asp.net | maxy | View Answer on Stackoverflow |
| Solution 7 - asp.net | Laxmi | View Answer on Stackoverflow |
| Solution 8 - asp.net | Sheo Narayan | View Answer on Stackoverflow |
| Solution 9 - asp.net | Pra | View Answer on Stackoverflow |
| Solution 10 - asp.net | Biki | View Answer on Stackoverflow |